When GDPR became effective in May 2018, it easily became the most arduous set of data privacy requirements to be put into place. Essentially, the CCPA is the less-strict little sister to GDPR with provisions and privacy obligations similar to those of GDPR.

Whether you’re a small Shopify merchant or a large enterprise, ignoring CCPA (or GDPR for that matter) requirements isn’t wise.

The good news is if you prepared for GDPR, you won’t have to start over to be in compliance with CCPA. That being said, you won’t have all of the bases covered if you’re relying on your measures taken to prepare for GDPR to ensure your compliance with CCPA.

Here’s what you need to know about the similarities and differences between the two sets of privacy laws.

Before we jump in on what you need to know, we need to include one incredibly important detail (aka disclaimer): We are not attorneys, and this article is not intended to be legal advice and should not be used in place of seeking advice from your attorney.

No. 1: What is CCPA anyway?

The CCPA is a comprehensive data privacy law enacted in the U.S. The goal of CCPA is to increase consumer protection and individual privacy rights for the residents of California. This law becomes effective Jan. 1, 2020.

CCPA is focused on how California residents’ personal information (PI) is handled by businesses and other third parties. Section 1798.140 of CCPA defines personal information as:

“Information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

Examples of identifiers and data covered by CCPA include (but are not limited to):

Real name

Alias

Postal address

Unique personal identifier

IP address

Email address

Account name

Social Security number

Driver’s license number

Passport number

Property records

Biometric info

Employment related data

Internet search and browsing history

No. 2: Who is protected?

Simply put, CCPA protects the PI of consumers (individuals) who reside in California whereas GDPR applies to “data subjects” in the EU.

A business must still comply if it processes the data of consumers/data subjects in the jurisdictions where these laws apply, even if it has no physical location in California or the EU.

One distinction with GDPR is that every organization established in the EU that processes personal data must comply with GDPR. Under CCPA, a business doing business in California must comply only if it meets one of the criteria listed under No. 3.

No. 3: How are they applied?

CCPA applies to the collection and sale of PI. However, CCPA only applies if a company does business in California (an online presence counts!) and meets one of the following criteria:

More than 25 million USD in annual revenue

Annually purchases, receives, sells or shares, for commercial purposes, in combination or alone, the personal information of 50,000 or more consumers, households or devices

Derives 50 percent or more of its annual revenue from selling consumers’ PI

CCPA does not apply to personal information already governed by certain other laws. Note that these exemptions cover the data, not the company as a whole: a bank or a hospital still has CCPA obligations for PI that falls outside those laws (website analytics data, for example).

Protected health information and medical information covered by HIPAA (and California’s CMIA)

Personal information subject to the GLBA

Consumer report information subject to the FCRA

GDPR applies to the processing of personal data regardless of the size of the company or the amount of annual revenue it generates.

No. 4: What are the rights of a consumer/data subject?

Both CCPA and GDPR provide rights to view and access data collected by businesses, and businesses are required to, upon request, delete personal data (there are exceptions) and disclose details on how they handle/process PI.

CCPA

Consumers have a broad right to know what PI a business has collected about them and to receive the specific pieces of that data. The statute does limit the lookback to the 12 months before the request (see No. 8), and a business is not required to answer more than two such requests from the same consumer in a 12-month period.

The right to opt out applies only to the sale of PI (“Do Not Sell My Personal Information”), not to the collection or processing of data in general.

Consumers can request their data be deleted, with exceptions that include:

Retained for legal obligation

Security purposes

Complete a transaction

Debugging to identify and repair errors that impair existing, intended functionality

GDPR

The right to object (Article 21) applies to the processing of personal data itself, not only to its sale; it can be raised against processing based on legitimate interests and is absolute for direct marketing. There are exceptions, similar to CCPA. We recommend speaking with your attorney on exception guidance.

Erasure (the “right to be forgotten,” Article 17) must be granted on several grounds, including when the data is no longer necessary for the purpose for which it was collected.

No. 5: What are the legal grounds for processing data?

CCPA does not enumerate legal grounds for collecting or selling PI.

Instead, CCPA requires a business to tell consumers, at or before the point of collection, which categories of PI it collects and for what purposes, and it may not use that PI for additional purposes without giving notice. CCPA works on an opt-out model rather than prior consent: a business must honor a consumer’s request not to sell their PI, and must obtain opt-in consent before selling the PI of consumers it knows are under 16. Information that is “publicly available” is excluded from the definition of PI, but the statute defines that term narrowly as information lawfully made available from federal, state or local government records.

GDPR, by contrast, defines in Article 6 the lawful bases (consent, contract, legal obligation, vital interests, public task and legitimate interests) under which personal data may be processed.

No. 6: What are the ways an individual can contact and submit a data request?

CCPA requires a business to offer at least two designated methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, the website itself. Typical methods:

email address

web form

toll-free telephone number

GDPR only requires that data subjects be able to submit their data requests:

in writing

orally

other electronic methods

No. 7: How long do I have to respond to a request?

Under CCPA, companies have 45 days from receipt of a request to respond. The response deadline may be extended by an additional 45 days when reasonably necessary.

GDPR requires a response without undue delay and in any event within one month of receipt of the request, with the ability to extend by a further two months where necessary, taking into account the complexity and number of requests.

It is important to note that for both, a response needs to be sent by the initial response period, even if it is only informing the requestor that the response will be extended.

No. 8: What period of data collected do I have to provide?

For CCPA, a business needs to disclose specific categories of data and the PI it has collected or sold in the 12 months prior to the information request. Categories of data that must be shared with the consumer include:

PI collected about the consumer

Categories of sources from which the information was collected (such as a third party or directly from the individual)

The purpose for collecting or selling the information

Categories of third parties that the information may be shared with (type of business/service)

The specific pieces of PI the business has collected on the consumer

With GDPR, there is no defined lookback period. A company that grants an access or erasure request must disclose or delete all personal data it holds on the data subject, not just data from the past 12 months.

No. 9: What does CCPA mean for companies that did not need to comply with GDPR?

If a business does not meet one of the above listed criteria (see No. 3), they are not required to directly comply with CCPA.

You’re off the hook, right? Not so fast…

Just because you may not be required to directly comply doesn’t mean there won’t be a need for you to comply in the future. It’s better to be prepared and understand what is required by privacy requirements than to be surprised by them in the future.

No. 10: Can I use the Lucky Orange service and be CCPA compliant?

Out of the box, Lucky Orange anonymizes keystroke data. Characters within form fields are replaced with an asterisk before any data is sent. Reducing the collection of PI and sensitive data means less risk for all parties.
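The paragraph above describes the principle: replace what the visitor types with asterisks on the client, before anything is sent to the recording service. The JavaScript below is an added illustration of that pattern and is not Lucky Orange’s own tracking code. It assumes form fields are represented as plain {type, name, value} objects (so it runs outside a browser), an assumed policy that password and hidden fields are never recorded at all, and an assumed allowlist mechanism for fields a site owner explicitly opts in to capturing in the clear. The sample checkout fields are constructed for the example.

```javascript
// Added example, not Lucky Orange's code: client-side masking of form input
// before a session-recording payload is assembled, so the characters a
// visitor types are replaced with asterisks before anything is transmitted.
// Field objects are plain {type, name, value} objects (assumed shape) rather
// than DOM elements so the logic runs outside a browser.

const MASK_CHAR = "*";

// Assumed policy: these input types are never recorded at all, not even as a
// run of asterisks, because the masked length alone can leak (e.g. PIN length).
const DROP_FIELD_TYPES = new Set(["password", "hidden"]);

// Replace every character of a value with the mask character, keeping length.
function maskValue(value) {
  return MASK_CHAR.repeat(String(value).length);
}

// Turn one input event into the record that would be queued for upload.
// `allowlist` names fields the site owner has explicitly opted in to
// capturing in the clear (assumed mechanism); everything else is masked.
function recordInputEvent(field, allowlist = new Set()) {
  const type = String(field.type || "text").toLowerCase();
  if (DROP_FIELD_TYPES.has(type)) {
    return null; // dropped entirely
  }
  const raw = field.value == null ? "" : String(field.value);
  const masked = !allowlist.has(field.name);
  return {
    kind: "input",
    field: field.name || null,
    masked,
    value: masked ? maskValue(raw) : raw,
  };
}

// Serialize a batch of records. Before anything is "sent", re-check that every
// masked record contains only mask characters; a bug upstream that let a raw
// value through fails closed here instead of leaking it.
function buildPayload(records) {
  const kept = records.filter((r) => r !== null);
  for (const r of kept) {
    if (r.masked && r.value.replace(/\*/g, "").length !== 0) {
      throw new Error(`unmasked value would be transmitted for field ${r.field}`);
    }
  }
  return JSON.stringify(kept);
}

// Constructed sample session: what a visitor typed into a checkout form.
const SAMPLE_FIELDS = [
  { type: "email", name: "email", value: "jane@example.com" },
  { type: "password", name: "password", value: "hunter2" },
  { type: "text", name: "promo_code", value: "SPRING20" },
  { type: "text", name: "country", value: "US" },
];

// Only the country field is opted in; email and promo code are masked and
// the password never appears in the payload at all.
function exampleSession() {
  const allowlist = new Set(["country"]);
  const records = SAMPLE_FIELDS.map((f) => recordInputEvent(f, allowlist));
  return buildPayload(records);
}

console.log(exampleSession());
```

Two design points matter for a practitioner evaluating any recording tool against CCPA or GDPR: the masking has to happen in the browser before the payload is built (masking on the vendor’s server means the PI has already been collected), and length-preserving masks still reveal something, which is why the example refuses to record password fields at all rather than sending a run of asterisks.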

Lucky Orange customers have access to our security tool that puts control of the collection of data into the hands of the site visitors. Our customer’s site visitors can view what data has been collected by the Lucky Orange service, and independently have the ability to delete any stored tracking history and prevent future tracking on the site visited and collection of data by the Lucky Orange service.

Have more questions for us about our CCPA or GDPR compliance? You can reach us at privacy@luckyorange.com with any compliance questions you may have.